[openstack-announce] [OSSA 2014-028] Glance store DoS through disk space exhaustion (CVE-2014-5356)

Tristan Cacqueray tristan.cacqueray at enovance.com
Thu Aug 21 14:09:07 UTC 2014

OpenStack Security Advisory: 2014-028
CVE: CVE-2014-5356
Date: August 21, 2014
Title: Glance store DoS through disk space exhaustion
Reporter: Thomas Leaman (HP), Stuart McLaren (HP)
Products: Glance
Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2

Thomas Leaman and Stuart McLaren from Hewlett Packard reported a
vulnerability in Glance. By uploading a large enough image to a Glance
store, an authenticated user may fill the store space because the
image_size_cap configuration option is not honored. This may prevent
further image upload and/or cause service disruption. Note that the
import method is not affected. All Glance setups using API v2 are
affected (unless you use a policy to restrict/disable image upload).

Juno (development branch) fix:

Icehouse fix:

Havana fix:

This fix will be included in the Juno-3 development milestone and in
future 2013.2.4 and 2014.1.3 releases.


Tristan Cacqueray
OpenStack Vulnerability Management Team

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20140821/f1a2ef0e/attachment.pgp>

More information about the OpenStack-announce mailing list